Pulse: Don't Get Caught in the Headlights - DeerStealer Analysis
TLP: WHITE | Author: PetrP.73 | Created: 2025-06-13 | Modified: 2025-06-13 | 52 IOCs | High volume
In May 2025, threat actors increasingly attempted to download and execute the HijackLoader malware, often delivering DeerStealer (an information stealer marketed on dark-web forums by the user "LuciferXfiles") as the final payload. The primary initial-access technique observed in these attack chains is ClickFix, a social-engineering lure that redirects users to phishing pages instructing them to run a malicious command in the Windows Run prompt. The infection chain then loads an unsigned version of a legitimate DLL named "cmdres.dll" that has been modified to execute HijackLoader.
Indicators of Compromise (showing 1 of 52)
Type: FileHash-SHA1
Indicator: 45592b1d7091d22706da0d64010f54187b5a85dd
Description: SHA1 of 3a03afc1313854359603522e0792f6a8f9153519eac645cf5811824d936cfbc7
Created: 2025-06-13